Prioritize Vulnerabilities Using The CISA Known Exploited Vulnerabilities Catalog

Bert-Jan Pals included in KQL Vulnerability Management Defender For Ednpoint

2023-12-21 1007 words 5 minutes

Due to the sheer amount of vulnerabilities that are being discovered daily, it is difficult to prioritize. This blog will explore the potential of the CISA Known Exploited Vulnerabilities Catalog to help you patch the most needed assets. This is done by discussing KQL queries that can help to find the vulnerabilities that apply to your organisation and find the assets that need to be patched with priority.

What is the CISA Known Exploited Vulnerabilities Catalog? “The Known Exploited Vulnerabilities Catalog is developed for the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors” - Source: Cyber Security and Infrastructure Security Agency

Catalog Content

The catalog contains vulnerabilities that are known to be exploited by threat actors, at the moment of writing 1050 vulnerabilities have been added to the list. If we zoom in on one of those vulnerabilities (CVE-2023-36584) we can identify different fields that address the information.

cveID: Lists the cveID of the vulnerability.
vendorProject: Lists the name of the product vendor.
vulnerabilityName: Lists the name of the vulnerability.
dateAdded: Lists when the vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog.
requiredAction: Lists the actions that are required when this vulnerability is found in your environment*.
dueDate: Lists when the requiredAction must be completed*.
knownRansomwareCampaignUse: Lists information about ongoing exploits of this vulnerability in ransomware campaigns.
notes: Lists additional notes and remote sources.

{
    "cveID": "CVE-2023-36584",
    "vendorProject": "Microsoft",
    "product": "Windows",
    "vulnerabilityName": "Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability",
    "dateAdded": "2023-11-16",
    "shortDescription": "Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
    "dueDate": "2023-12-07",
    "knownRansomwareCampaignUse": "Unknown",
    "notes": "https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-36584"
}

(*) Federal civilian executive branch (FCEB) agencies need to complete the requiredAction before the dueDate, this is because they are bound to BOD 22-01. Even though other organisations are not bound to BOD 22-01 is it highly recommended to perform the requiredAction as soon as possible.

Monitor CISA Known Exploited Vulnerabilities Catalog

CISA offers three different solutions to monitor the vulnerabilities:

It is recommended to dynamically ingest and alert new active vulnerabilities in your environment. Ingesting these Known Exploited vulnerabilities would be a valuable source for your SIEM/VM/XDR solution. Ingesting this as a feed would allow you to take a proactive approach to the vulnerabilities.

CISAPy

CISAPy is a small Python command line tool that lets you interact with the CISA Known Exploited Vulnerabilities Catalog. This can help you dynamically monitor the entries of the catalog. This tool can help you to get filtered exports of the relevant vulnerabilities.

CISAPy offers the following functionalities:

Listing (filtered) vulnerabilities
Exporting (filtered) vulnerabilities
Provide statistics on when the vulnerabilities have been added to the list.

CISA Known Exploited Vulnerabilities Catalog & KQL

The vulnerabilities can be dynamically loaded in a KQL query using the externaldata() operator, this can be done both with CSV or JSON input. Listing the vulnerabilities can be done in any place where you execute KQL, such as Log Analytics, Sentinel, Advanded Hunting or Azure Data Explorer as seen below.

/images/cisa-vulnerabilities/ListVulnsFunction.png — ListCISAExploitedVulnerabilites()

KQL Query Link ListCISAExploitedVulnerabilites()

Alert on New Active Vulnerabilities

You want to be proactively informed when a new vulnerability is added to the catalog, this can be done using KQL. It is important to note that not all vulnerabilities might be relevant for your organisation, this could be because you do not use a certain product or vendor. However, it could also be the other way around, that you do use the product, but it is not MDE onboarded, resulting in a lack of visibility. Be aware that it is not a silver bullet!

The query combines the external CSV with the DeviceTvmSoftwareVulnerabilities table, this table contains all the active vulnerabilities on your onboarded assets. The NewThreshold is used to determine how new is defined, in this case, new is if a vulnerability has been added within the last day. The last part of the detection joins the DeviceProcessEvents, you might think heh? why is that? Good question! This is only to ensure that the required fields that are needed are included in the KQL query to be able to create a custom detection. If you use Sentinel that section is not needed.

/images/cisa-vulnerabilities/AlertOnNewVulnerabilities.png — Detect New Active Entries in Advanced Hunting

KQL Query Link New Active CISA Know Exploited Vulnerability Detected

Prioritize Vulnerabilities using KQL

The KQL GitHub repository has a lot more to offer than mentioned in this blog. The Vulnerability Management section provides more than 30 KQL queries to identify, list and prioritize vulnerabilities in your environment!

Passed Due Date

Yes, not all organisations need to comply with the dueDate as mentioned by CISA, but the dueDate is good advice. The likelihood of exploitation of any of the included vulnerabilities in the catalog is high. To ensure that direction/priority can be given based on the dueDate the query as seen below is developed. This query calculates the time between the query execution and the dueDate and puts that in the DueDateExceededByDays column.

DueDateExceededByDays	Meaning
Positive	The dueDate has passed by n days.
Negative	It takes n days before it is dueDate.
zero	It is dueDate

The image below shows some examples of a vulnerable machine. The DueDateExceededByDays and TotalVulnerableDevices can be used to prioritize, while the other fields provide the information needed to patch the systems.

/images/cisa-vulnerabilities/DueDatePassed.png — Due Date Passed Exploited Vulnerabilities

KQL Query Link DueDate Passed CISA Known Exploited Vulnerabilities

Related Blogs

Questions? Feel free to reach out to me on any of my socials.